OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Evaluation Report

Federal Information Security Management Act
Fiscal Year 2004 Status of EPA’s Computer Security Program

Report No. 2004-S-00007

September 30, 2004

Report Contributors:  Ed Densmore
                      Anita Mooney
                      Vincent Campbell
                      Cheryl Reid

Abbreviations

EPA      Environmental Protection Agency
C&A      Certification and Accreditation
FISMA    Federal Information Security Management Act
GAO      Government Accountability Office
IFMS     Integrated Financial Management System
IT       Information Technology
OIG      Office of Inspector General
OMB      Office of Management and Budget
POA&M    Plan of Action and Milestones

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL

September 30, 2004

MEMORANDUM

SUBJECT:  Federal Information Security Management Act:
          Fiscal Year 2004 Status of EPA’s Computer Security Program
          Report No. 2004-S-00007

TO:       Michael O. Leavitt
          Administrator

Attached is our final report entitled Federal Information Security Management Act: Fiscal Year 2004 Status of EPA’s Computer Security Program. This report synopsizes the results of information technology security work the U.S. Environmental Protection Agency’s Office of Inspector General (OIG) performed during Fiscal Year (FY) 2004. This report includes the OIG’s completed FY 2004 FISMA Reporting Template, as prescribed by the Office of Management and Budget (OMB).

In accordance with OMB reporting instructions, I am forwarding this report to you for submission, along with the Agency’s required information, to the Director, OMB.

Nikki L. Tinsley /s/

Attachment

cc:
K. Nelson, Assistant Administrator for Environmental Information (OEI) (2810A)
M. Day, Director, Office of Technology Operations and Planning (OTOP) (2831T)
G. Bonina, Senior Agency Information Security Officer (2831T)
R. Gonzalez, Director, National Technology Services Division (NTSD) (N229-01)
M. Cody, Associate Director, Technical Information Security Staff (TISS) (2831T)
J. Gibson, Operations Security Manager, NTSD (N276-01)
J. Worthington, OEI Audit Coordinator (2812T)
R. Trent, OEI Audit Coordinator (2831T)
K. Farmer, TISS Audit Coordinator (2831T)

Fiscal Year 2004 Status of EPA’s Computer Security Program

The Federal Information Security Management Act (FISMA) requires the Office of Inspector General (OIG) to perform an independent evaluation of the Agency’s information security program and practices. We performed our work in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. The following summarizes information security work we performed during fiscal 2004.

Information Technology Security Performance

In general, Agency officials have taken positive actions to secure EPA’s information resources. EPA has adequate physical security controls to protect its network firewalls, including comprehensive continuity of operations plans. However, our audit entitled EPA’s Administration of Network Firewalls Needs Improvement, Report Number 2004-P-00013, dated March 31, 2004, disclosed logical and configuration control weaknesses which need to be improved to further secure information resources. We recommended several actions to the Director, Office of Technology, Operations, and Planning, to improve EPA’s firewall security, including: establishing a standard configuration requirement for adequately securing workstations used to remotely administer the network firewalls; modifying the change and patch management processes to ensure that when firewall changes and patches are applied they do not adversely affect previously applied fixes; and modifying the network vulnerability assessment methodology to include scanning of all firewall components. Agency officials concurred with our recommendations and reported that corrective actions were to be implemented by September 30, 2004.

We also evaluated the adequacy of policies, procedures, and practices for controlling financial application development and software changes to EPA’s Integrated Financial Management System (IFMS). Our audit entitled EPA Needs to Improve Change Controls for Integrated Financial Management System, Report Number 2004-P-00026, dated August 24, 2004, reported a general breakdown of security controls that could undermine the integrity of IFMS software libraries and financial system data. Duties had not been adequately segregated, individuals used an inappropriate ID or continued to have system access after no longer needing it, and contractor personnel were granted access to IFMS without a successful background security check. Further, management had not instituted a formal, structured change control process for IFMS to ensure software program modifications were properly authorized, tested, and approved. We made various recommendations to the Chief Financial Officer and the Acting Assistant Administrator for Administration and Resources Management to improve IFMS controls and institutionalize security screening procedures. In commenting on the draft report, the Chief Financial Officer concurred with our recommendations and generally outlined appropriate corrective actions to improve security and change controls over IFMS. The Acting Assistant Administrator for Administration and Resources Management did not concur with our recommendations concerning contractor background investigations, asserting that “suitability” background investigations of Federal contractors are not required. Management stated its existing, interim procedures were sufficient to guide offices that chose to initiate background investigations. However, current EPA policy and Federal guidance strongly recommend screening comparable to that for Federal staff, and we strongly urge such screening. A response to the final report is due by November 24, 2004.

Plan of Action and Milestones

EPA has developed, implemented, and is managing an adequate, Agency-wide plan of action and milestones (POA&M) process. We reviewed EPA’s POA&M process, which included validating a sample of “completed” POA&Ms from the Agency’s December 2003 Quarterly Report to the Office of Management and Budget. Our validation methodology included reviewing supporting documentation and interviewing appropriate personnel to determine if the corrective actions taken adequately addressed the weakness and complied with applicable Federal criteria.

In general, EPA’s POA&M process incorporates known Information Technology (IT) security weaknesses, developed by both program officials and the Chief Information Officer. The Chief Information Officer centrally tracks, maintains, and reviews POA&M activities. We found the POA&M process does not currently prioritize security weaknesses; however, Agency officials are actively addressing this issue and expect to complete the first phase of a two-phased prioritization development process by November 2004. We also identified some errors with the data, but we did not consider them to be of a “material” nature and concluded that (1) most of the inaccuracies stemmed from the newness of the tracking system and (2) these problems would be rectified as soon as OEI issued additional administrative guidance. We made suggestions to improve the quality of the data, and Agency officials discussed our concerns at the 2004 Information Security Officer training conference.

Certification and Accreditation

The Agency’s Certification and Accreditation (C&A) process complies with Federal guidance. In assessing the Agency’s C&A process, we used the Government Accountability Office’s (GAO) report entitled Agencies Need to Implement Consistent Processes in Authorizing Systems for Operation, Report Number GAO-04-376, dated June 2004. In a survey of 24 major departments and agencies, GAO found that agencies need to implement consistent processes in authorizing systems for operation. Based on its field work of six systems, GAO prepared a statement of facts summarizing findings specific to EPA and indicated that the Agency’s C&A process and specific C&A packages generally complied with Federal C&A criteria. However, GAO indicated that they found varying degrees of comprehensiveness at EPA and instances where required steps were incomplete, such as missing and/or untested contingency plans and missing risk assessments. In addition, although EPA’s system self-assessments stated that security controls had been “tested,” GAO found limited documentation to support that these controls had actually been tested on an annual basis. The only evidence GAO found was the results of technical vulnerability assessments, which were conducted as part of periodic risk assessments. Further, in some cases, GAO found it difficult to determine the actual risk being accepted by EPA in the accreditation decision.

Incident Detection and Handling

The Agency’s incident detection and handling practices comply with documented policies and procedures. We reviewed the Agency’s processes for incident handling by examining a sample of security incidents taken from the Computer Security Incident Response Center’s weekly reports. We tracked these incidents through the process to determine how they were identified, remedied, and reported internally, as well as externally, if applicable. We found the Agency followed defined policies and procedures for reporting incidents internally, as well as externally to law enforcement and the US Computer Emergency Readiness Team.

Security Training and Awareness

EPA continues to make improvements in providing and recording training to ensure security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities. For example, EPA indicated that 49 percent of personnel with significant IT responsibilities received training in fiscal 2004, up from 31 percent in fiscal 2003. During this past year, the Agency implemented an on-line IT Security training library available through the Federal government’s E-learning portal (i.e., GoLearn.gov). The GoLearn.gov IT security library contains 13 role-based training plans.
Agency officials identified employees with significant security responsibilities by 1 of the 13 functional roles, and pre-registered these employees into the Go-Learn training system. In addition, it was recommended these employees take at least two of the Go-Learn courses by August 31, 2004.

2004 FISMA Report

Agency:               Environmental Protection Agency
Date Submitted:       10/6/2004
Submitted By:         OIG
Contact Information:
    Name:     Pat Hill
    E-mail:   Hill.Pat@EPA.gov
    Phone:    202-566-0894

Section A: System Inventory and IT Security Performance
NOTE: ALL of Section A should be completed by BOTH the Agency CIO and the OIG.

A.1. By bureau (or major agency operating component), identify the total number of programs and systems in the agency and the total number of contractor operations or facilities. The agency CIOs and IGs shall each identify the total number that they reviewed as part of this evaluation in FY04. NIST 800-26 is to be used as guidance for these reviews.

A.2. For each part of this question, identify actual performance in FY04 for the total number of systems by bureau (or major agency operating component) in the format provided below.

Column key for the table below:
  A.1.a.  FY04 Programs (Tot = Total Number, Rev = Number Reviewed)
  A.1.b.  FY04 Systems (Tot = Total Number, Rev = Number Reviewed)
  A.1.c.  FY04 Contractor Operations or Facilities (Tot = Total Number, Rev = Number Reviewed)
  A.2.a.  Number of systems certified and accredited (No. = Total Number, Pct = Percent of Total)
  A.2.b.  Number of systems with security control costs integrated into the life cycle of the system (No., Pct)
  A.2.c.  Number of systems for which security controls have been tested and evaluated in the last year (No., Pct)
  A.2.d.  Number of systems with a contingency plan (No., Pct)
  A.2.e.  Number of systems for which contingency plans have been tested (No., Pct)
  "-" marks a cell left blank in the submitted template.

Bureau Name                                               A.1.a     A.1.b     A.1.c     A.2.a        A.2.b        A.2.c        A.2.d        A.2.e
                                                          Tot Rev   Tot Rev   Tot Rev   No.    Pct   No.    Pct   No.    Pct   No.    Pct   No.    Pct
Office of the Administrator                                 1   0     2   -     0   0     -   0.0%     -   0.0%     -   0.0%     -   0.0%     -   0.0%
Office of Air and Radiation                                 1   0    19   2     2   0     -   0.0%     2  10.5%     -   0.0%     0   0.0%     0   0.0%
Office of Administration and Resources Management           1   0    12   4     2   0     1   8.3%     3  25.0%     1   8.3%     -   0.0%     -   0.0%
Office of the Chief Financial Officer                       1   0    18  12     0   0     -   0.0%     2  11.1%    10  55.6%     -   0.0%     -   0.0%
Office of Enforcement and Compliance                        1   0    11   2     0   0     -   0.0%     2  18.2%     -   0.0%     -   0.0%     -   0.0%
Office of Environmental Information - Central               2   0    38  16     1   0     3   7.9%    11  28.9%     3   7.9%     -   0.0%     -   0.0%
Office of Environmental Information - Non Central*          -   0     -   -     7   -     -      -     -      -     -      -     -      -     -      -
Office of General Counsel                                   1   0     1   0     0   0     -   0.0%     -   0.0%     -   0.0%     -   0.0%     -   0.0%
Office of International Activities                          1   0     1   0     0   0     -   0.0%     -   0.0%     -   0.0%     -   0.0%     -   0.0%
Office of Inspector General                                 1   0     9   9     0   0     9 100.0%     9 100.0%     8  88.9%     9 100.0%     9 100.0%
Office of Prevention, Pesticides, and Toxic Substances      1   0     9   2     0   0     1  11.1%     1  11.1%     1  11.1%     -   0.0%     -   0.0%
Office of Research and Development                          1   0    16   1     0   0     -   0.0%     -   0.0%     -   0.0%     1   6.3%     1   6.3%
Office of Solid Waste and Emergency Response                1   0    13   3     7   0     -   0.0%     3  23.1%     -   0.0%     1   7.7%     0   0.0%
Office of Water                                             1   0    10   3     0   0     -   0.0%     2  20.0%     1  10.0%     -   0.0%     -   0.0%
Region 1 - Boston                                           1   0     1   0     0   0     -   0.0%     -   0.0%     -   0.0%     -   0.0%     -   0.0%
Region 2 - New York                                         1   0     1   1     0   0     -   0.0%     -   0.0%     -   0.0%     1 100.0%     1 100.0%
Region 3 - Philadelphia                                     1   0     1   0     0   0     -   0.0%     -   0.0%     -   0.0%     -   0.0%     -   0.0%
Region 4 - Atlanta                                          1   0     1   1     0   0     1 100.0%     -   0.0%     -   0.0%     -   0.0%     -   0.0%
Region 5 - Chicago                                          1   0     3   0     0   0     -   0.0%     -   0.0%     -   0.0%     -   0.0%     -   0.0%
Region 6 - Dallas                                           1   0     2   0     0   0     -   0.0%     -   0.0%     -   0.0%     -   0.0%     -   0.0%
Region 7 - Kansas City                                      1   0     1   0     0   0     -   0.0%     -   0.0%     -   0.0%     -   0.0%     -   0.0%
Region 8 - Denver                                           1   0     2   0     0   0     -   0.0%     -   0.0%     -   0.0%     -   0.0%     -   0.0%
Region 9 - San Francisco                                    1   0     1   0     0   0     -   0.0%     -   0.0%     -   0.0%     -   0.0%     -   0.0%
Region 10 - Seattle                                         1   0     1   0     0   0     -   0.0%     -   0.0%     -   0.0%     -   0.0%     -   0.0%
Agency Total                                               24   0   173  56    19   0    15   8.7%    35  20.2%    24  13.9%    12   6.9%    11   6.4%

Comments:
* The OIG did not differentiate between OEI-Central and OEI-Non-Central programs and, therefore, reported all systems reviewed under OEI-Central.
A.1.b. - The OIG did not use NIST 800-26 in its entirety for these reviews.
A.2 - The universe of systems reviewed for A.2.a. through A.2.e. represents unique subsets of the Agency total of 173, based on individual reviews conducted by GAO or the OIG. The universe for A.2.a. through A.2.e. is 15, 35, 24, 13 and 13 respectively.
This page reflects the OIG response, which differs from the Agency Response. Per OMB requirements, the Agency response has been submitted under separate cover.

A.3

A.3. Evaluate the degree to which the following statements reflect the status in your agency, by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the Comment area provided below.

Statement / Evaluation

        a. Agency program officials and the agency CIO have used appropriate methods to ensure that contractor provided services or services provided by another agency for their program and systems are adequately secure and meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.
           Evaluation: Almost Always, or 96-100% of the time

        b. The reviews of programs, systems, and contractor operations or facilities, identified above, were conducted using the NIST self-assessment guide, 800-26.
           Evaluation: Almost Always, or 96-100% of the time

        c. In instances where the NIST self-assessment guide was not used to conduct reviews, the alternative methodology used addressed all elements of the NIST guide.
           Evaluation: (left blank; see Comments)

        d. The agency maintains an inventory of major IT systems and this inventory is updated at least annually.
           Evaluation: Almost Always, or 96-100% of the time

        e. The OIG was included in the development and verification of the agency’s IT system inventory.
           Evaluation: Almost Always, or 96-100% of the time

        f. The OIG and the CIO agree on the total number of programs, systems, and contractor operations or facilities.
           Evaluation: Almost Always, or 96-100% of the time

        g. The agency CIO reviews and concurs with the major IT investment decisions of bureaus (or major operating components) within the agency.
           Evaluation: Almost Always, or 96-100% of the time

Statement / Yes or No

        h. The agency has begun to assess systems for e-authentication risk.
           Yes

        i. The agency has appointed a senior agency information security officer that reports directly to the CIO.
           Yes

Comments:
A.3.c. is actually "Not Applicable" since the NIST self-assessment guide was used to conduct all system reviews.

Section B: Identification of Significant Deficiencies
NOTE: ALL of Section B should be completed by BOTH the Agency CIO and the OIG.

B.1. By bureau, identify all FY 04 significant deficiencies in policies, procedures, or practices required to be reported under existing law. Describe each on a separate row, and identify which are repeated from FY03. In addition, for each significant deficiency, indicate whether a POA&M has been developed.
Insert rows as needed.

B.1. FY04 Significant Deficiencies

Bureau Name     Total Number     Total Number Repeated from FY03     Identify and Describe Each Significant Deficiency                                                        POA&M developed? (Yes or No)
(all bureaus)                                                        For FY04, EPA did not have any significant deficiencies in policies, procedures, or practices to report.
Agency Total    0                0

Comments:

Section C: OIG Assessment of the POA&M Process
NOTE: Section C should *ONLY* be completed by the OIG. The CIO should leave this section blank.

C.1. Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestone (POA&M) process. This question is for IGs only. Evaluate the degree to which the following statements reflect the status in your agency by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the Comment area provided below.

C.1

Statement / Evaluation

        a. Known IT security weaknesses, from all components, are incorporated into the POA&M.
           Evaluation: Almost Always, or 96-100% of the time

        b. Program officials develop, implement, and manage POA&Ms for systems they own and operate (systems that support their program or programs) that have an IT security weakness.
           Evaluation: Almost Always, or 96-100% of the time

        c. Program officials report to the CIO on a regular basis (at least quarterly) on their remediation progress.
           Evaluation: Almost Always, or 96-100% of the time

        d. CIO develops, implements, and manages POA&Ms for every system they own and operate (a system that supports their program or programs) that has an IT security weakness.
           Evaluation: Almost Always, or 96-100% of the time

        e. CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
           Evaluation: Almost Always, or 96-100% of the time

        f. The POA&M is the authoritative agency and IG management tool to identify and monitor agency actions for correcting information and IT security weaknesses.
           Evaluation: Almost Always, or 96-100% of the time

        g. System-level POA&Ms are tied directly to the system budget request through the IT business case as required in OMB budget guidance (Circular A-11).
           Evaluation: Almost Always, or 96-100% of the time

        h. OIG has access to POA&Ms as requested.
           Evaluation: Almost Always, or 96-100% of the time

        i. OIG findings are incorporated into the POA&M process.
           Evaluation: Almost Always, or 96-100% of the time

        j. POA&M process prioritizes IT security weaknesses to help ensure that significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
           Evaluation: Rarely, or 0-50% of the time

Comments:
C.1.j. - The Agency has begun a process to prioritize POA&Ms. They are currently assigning and assessing risk values for the NIST 800-26 questions. The Agency expects to complete this phase by November 2004. In the next phase, the Agency plans to apply a cost estimate to the risks, with a planned completion of May 2005.

C.1 OIG Assessment of the Certification and Accreditation Process

Section C should only be completed by the OIG. OMB is requesting IGs to assess the agency’s certification and accreditation process in order to provide a qualitative assessment of this critical activity. This assessment should consider the quality of the Agency’s certification and accreditation process. Any new certification and accreditation work initiated after completion of NIST Special Publication 800-37 should be consistent with NIST Special Publication 800-37. This includes use of the FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems,” to determine an impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans. Earlier NIST guidance is applicable to any certification and accreditation work completed or initiated before finalization of NIST Special Publication 800-37. Agencies were not expected to use NIST Special Publication 800-37 as guidance before it became final.

Statement / Evaluation

Comments: In assessing the Agency’s Certification and Accreditation (C&A) process, we used audit work performed by the Government Accountability Office (GAO). In a statement of facts summarizing GAO’s C&A review at EPA, GAO indicated that the Agency’s C&A process and specific C&A packages generally complied with C&A criteria found in federal guidance. However, GAO also indicated that they found varying degrees of comprehensiveness and instances where required steps were incomplete, such as missing and/or untested contingency plans, and missing risk assessments. In addition, although EPA’s system self-assessments stated that security controls had been “tested,” GAO found limited documentation to support that these controls had actually been tested on an annual basis. The only available evidence GAO could find was the results of technical vulnerability assessments, which were conducted as part of periodic risk assessments. Further, in some cases GAO found it difficult to determine the actual residual risk being accepted in the accreditation decision. Based on GAO's findings, we find EPA's C&A process to be satisfactory.

Evaluation: Satisfactory

Section D
NOTE: ALL of Section D should be completed by BOTH the Agency CIO and the OIG.

D.1. First, answer D.1. If the answer is yes, then proceed. If no, then skip to Section E. For D.1.a-f, identify whether agency-wide security configuration requirements address each listed application or operating system (Yes, No, or Not Applicable), and then evaluate the degree to which these configurations are implemented on applicable systems. For example: If your agency has a total of 200 systems, and 100 of those systems are running Windows 2000, the universe for evaluation of degree would be 100 systems. If 61 of those 100 systems follow configuration requirement policies, and the configuration controls are implemented, the answer would reflect "yes" and "51-70%". If appropriate or necessary, include comments in the Comment area provided below.

D.2. Answer Yes or No, and then evaluate the degree to which the configuration requirements address the patching of security vulnerabilities. If appropriate or necessary, include comments in the Comment area provided below.

D.1. Has the CIO implemented agency-wide policies that require detailed specific security configurations and what is the degree by which the configurations are implemented?

D.1. & D.2.                        D.1.                 D.2.
                                   Yes, No, or N/A      Evaluation
        a. Windows XP Professional       Yes                  Almost Always, or 96-100% of the time
        b. Windows NT                    Yes                  Almost Always, or 96-100% of the time
        c. Windows 2000 Professional     Yes                  Almost Always, or 96-100% of the time
        d. Windows 2000                  Yes                  Rarely, or 0-50% of the time
        e. Windows 2000 Server           Yes                  Almost Always, or 96-100% of the time
        f. Windows 2003 Server           Yes                  Almost Always, or 96-100% of the time
        g. Solaris                       Yes                  Almost Always, or 96-100% of the time
        h.
HP-UX\n                                                                                                                          Yes\n                                                                                                                                    Almost Always, or 96-100%\n                 i. Linux\n                                                                                                                          Yes       of the time\n\n                 j. Cisco Router IOS\n                                                                                                                           No\n                 k. Oracle                                                                                                          Rarely, or 0-50% of the time\n                                                                                                                          Yes\n                                                                                                                                    Almost Always, or 96-100%\n                 l. Other. Specify: Netware, HP Tru 64, IBM AIX, and SGI IRIX                                             Yes       of the time\n                                                                                                                         Yes or\n                                                                                                                                          Evaluation\n                                                                                                                          No\n        D.2. Do the configuration requirements implemented above in D.1.a-f., address patching of security                          Almost Always, or 96-\n        vulnerabilities?                                                                                                  
Yes       100% of the time\nComments: D.1 - Agency officials compiled the evaluation responses in late September 2004, and therefore, the OIG did not independently verify them.\nD.1.h. - The Agency did not evaluate this configuration because it is no longer used in the Agency.\n\x0cSection E: Incident Detection and Handling Procedures\nNOTE: ALL of Section E should be completed by BOTH the Agency CIO and the OIG.\n\n\n   E.1. Evaluate the degree to which the following statements reflect the status at your agency. If appropriate or necessary, include comments in the Comment area provided\n   below.\n\n                                                                                          E.1\n\n                                                           Statement                                                                                    Evaluation\n\n\n                 a. The agency follows documented policies and procedures for reporting incidents internally.                          Almost Always, or 96-100% of the time\n\n                 b. The agency follows documented policies and procedures for external reporting to law enforcement\n                                                                                                                                       Almost Always, or 96-100% of the time\n                 authorities.\n                 c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness\n                                                                                                                                       Almost Always, or 96-100% of the time\n                 Team (US-CERT). http://www.us-cert.gov\n                                                                                         E.2.\n   E.2. 
Incident Detection Capabilities.\n                                                                                                                                          Number of         Percentage of\n                                                                                                                                           Systems          Total Systems\n                         a. How many systems underwent vulnerability scans and penetration tests in FY04?                                              95         55%\n                         b. Specifically, what tools, techniques, technologies, etc., does the agency use to mitigate IT security risk?\n                                  Answer:\n                                     The OIG and Agency use Symantec NetRecon, NESSUS, and Internet Security Systems to conduct technical vulnerability assessments. The Agency Tools\n                                     also include NMap, TNT, EtherPeek, and PatchLink. Technical controls are firewalls, IDSs, perimeter controls, configuration management, and CSIRC and\n                                     vulnerability management solutions.\n\nComments:\nE.1. - The OIG used a sample to evaluate the Agency\'s compliance with defined policies and procedures for reporting incidents internally and externally to\n      law enforcement authorities and to US-CERT.\nE.2.a. - This number reflects scans performed by the OIG as well as the Agency. The OIG performed a variety of scans on 13 systems.\n\x0cSection F: Incident Reporting and Analysis\nNOTE: ALL of Section F should be completed by BOTH the Agency CIO and the OIG.\n\n   F.1. For each category of incident listed: identify the total number of successful incidents in FY04, the number of incidents reported to US-CERT, and the\n   number reported to law enforcement. If your agency considers another category of incident type to be high priority, include this information in category VII,\n   "Other". 
If appropriate or necessary, include comments in the Comment area provided below\n   F.2. Identify the number of systems affected by each category of incident in FY04. If appropriate or necessary, include comments in the Comment area\n   provided below.\n                                                                          F.1., F.2. & F.3.\n                                                                                   F.1.                                                  F.2.\n                                                                     Number of Incidents, by category:                Number of systems affected, by category, on:\n\n\n\n                                                                    F.1.a               F.1.b.         F.1.c.         F.2.a.          F.2.b.            F.2.c.\n                                                                 Reported           Reported to US- Reported to  Systems with Systems without        How many\n                                                                 internally             CERT            law     complete and up- complete and up-    successful\n                                                                                                    enforcement   to-date C&A      to-date C&A incidents occurred\n                                                                                                                                                      for known\n                                                                                                                                                  vulnerabilities for\n                                                                                                                                                  which a patch was\n                                                                                                                                                      available?\n\n\n\n                                   
                                                                                 Number of        Number of         Number of\n                                                                Number of            Number of      Number of        Systems          Systems           Systems\n                                                                Incidents            Incidents      Incidents        Affected         Affected          Affected\n     I. Root Compromise                                                         0               0               0                0               0                    0\n     II. User Compromise                                                        0               0               0                0               0                    0\n     III. Denial of Service Attack                                              1               1               0                1               0                    0\n     IV. Website Defacement                                                     0               0               0                0               0                    0\n     V. Detection of Malicious Logic                                            1               1               0                1               0                    0\n     VI. Successful Virus/worm Introduction                                   224             224               1               63               2                   12\n     VII. Other                                                                29              29               3                3               0                    0\n                                                     Totals:                  255             255               4               68               2                   12\n\nComments:\nAgency officials compiled this data in late September 2004, and therefore, the OIG did not independently verify the data. 
However,\nduring the OIG review of the Agency\'s incident handling process, we did not find evidence contradicting the Agency response.\n\x0cSection G: Training\nNOTE: ALL of Section G should be completed by BOTH the Agency CIO and the OIG.\n\n\n   G.1. Has the agency CIO ensured security training and awareness of all employees, including contractors and those employees with significant IT security\n   responsibilities? If appropriate or necessary, include comments in the Comment area provided below.\n                                                                                G.1.\n     G.1.a.                  G.1.b.                    G.1.c.                  G.1.d.                            G.1.e.                             G.1.f.\n\nTotal number of Employees that received IT Total number of Employees with significant               Briefly describe training provided          Total costs for\n employees in security awareness training employees with security responsibilities that                                                          providing IT\n     FY04        in FY04, as described in   significant IT received specialized training,                                                     security training in\n                 NIST Special Publication      security     as described in NIST Special                                                             FY04\n                         800-50            responsibilities Publications 800-50 and 800-                                                           (in $\'s)\n                                                                         16\n\n\n\n\n                    Number        Percentage                          Number       Percentage\n\n\n                                                                                                     GoLearn and Other Training\n         23,404         21,024        90%               821            406              49%                                                
       $476,802\n                                                                                                 (See Comments for brief description)\n\n                                                                                G.2.\n                                                                             Yes or No\n   a. Does the agency explain policies regarding peer-to-peer\n   file sharing in IT security awareness training, ethics training,             No\n   or any other agency wide training?\n                                                                 Yes           No\nComments:\nAgency officials compiled this data in late September 2004, and therefore, the OIG did not independently verify the data. However, during\nthe OIG review of the Agency\'s training process, we did not find evidence contradicting the Agency response.\n\nG.1.e. - Government Online Learning Center\'s (GoLearn) IT Security Training Library, composed of more than 75 IT security-related\ncourses in Data Security, Network Security, Security Planning and Security Policy/Guidelines; National Defense University provides training\nin Information Resource Management; and the EPA\'s 2004 IT Security and Operations Conference in Research Triangle Park, included (but\nnot all inclusive) training modules in Anytime Anyplace Access, Risk Assessments, Security Plans, Certification and Accreditation, Wireless\nLAN, Patch Management, Contingency Planning, Incident Response, and Bindview.\n\x0c'